SCADApedia

Archive for March, 2009

Safety + Security Meme Heats Up

Exida announced today that it has merged with Byres Security Research to “form the world’s first company offering functional safety and security certification and consultation”. Since Exida is much larger, it appears to be more of an acquisition than a merger. And, entering soap opera territory, it also reunites to some degree Byres with his [...]

Security Audit Files for OSIsoft PI Server and Emerson Ovation

More security audit files are now available from Bandolier, a Digital Bond project funded by the US Department of Energy. We are excited to announce beta versions for the OSIsoft PI Enterprise Server (versions 3.3.x-3.4.x) and Emerson Ovation (version 3.1 family) applications. Asset owners and integrators will now be able to audit the security settings of [...]

Applying Ockham’s Razor to Control Security

An IM discussion with Jason Holcomb in regards to his recent post set my mind in motion.
English philosopher/logician William Ockham postulated in the 14th century (quoting Wikipedia): “When multiple competing hypotheses are equal in other respects, the principle recommends selecting the hypothesis that introduces the fewest assumptions and postulates the fewest entities.” Derivatives of this thought include: “Entities must not [...]

No More Free Bugs?

The disclosure debate is raging once again, and it’s even seeing some discussion on the SCADA mailing lists. This was stirred up by the No More Free Bugs “campaign” announced at CanSecWest by Miller, Sotirov, and Dai Zovi. Accomplished guys and names that should at least sound familiar if you try to stay current on [...]

Does More Technology = Inherently More Secure?

There have been many critical infrastructure and smart grid “cyber attack” discussions and articles in recent weeks. The April issue of Popular Mechanics even addresses the topic in the article “How Vulnerable is U.S. Infrastructure to a Major Cyber Attack?”. I wanted to point this one out for a couple of reasons.
First, it’s a decent [...]

March Podcast: Interview with DHS’s Sean McGurk

This Month In Control System Security podcasts are back after a two-month hiatus. This month I have a special interview with Sean McGurk, the Director of the DHS Control System Security Program. I think you will enjoy this wide ranging discussion and get a better idea of what this important group does and plans to [...]

This Month in Control System Security podcast [33:31m]

Microsoft’s exploit discovery tool

Two researchers from Microsoft’s Security Engineering Center (MSEC) gave an interesting presentation at the CanSecWest conference last week. The researchers detailed a project created by MSEC that is supposed to help detect exploitable software. The project, !exploitable (pronounced “bang exploitable”) Crash Analyzer, is a tool that helps automate the detection of bugs in an application [...]

Friday News and Notes

A few odds and ends from the last three weeks:

Very cool. Secure DNP3 products are becoming available. Secure DNP3 adds new function codes to DNP3 to provide source authentication as well as content authentication. The latest example is in an RTU from Semaphore.
GE has a new version of CIMPLICITY with some important new security features. [...]

FERC and “The Gap”

Against the wishes of NEI and many operators, FERC published an order today regarding NERC CIP standard applicability in nuclear plants. To save you 32 pages of reading, I’ll attempt to summarize here.

There was an apparent gap in regulation as nuclear facilities were explicitly exempted in the CIP standards but not all cyber assets with [...]

Whitelisting in Control Systems

As Jason Holcomb noted on this blog a few weeks back, there is a growing interest in applying the practice of whitelisting to control systems. In whitelisting, a set of known “good” applications is created and maintained, and only applications from that list are allowed on systems in the environment. This in theory removes the [...]